Topic: security

[Colin Mattoon]

Our company is using e-smith 3.0 solely as a dialup gateway to the Internet. We are scheduled to convert to dedicated connection within the next three weeks (famous last words).

When that happens, we will host our own mail and a small web site for our customers, in addition to using the e-smith as our LAN firewall. (We don't have a need for file sharing, etc.)

Our ISP repeatedly advised against this, suggesting instead that we set up two e-smith machines (one for mail, one as www server) with a port forwarding router between them and the Internet, and a third machine (probably e-smith) as our private LAN's firewall.

They cite security, not performance, as the reason. (The ISP has extensive Linux and FreeBSD experience and knows that my AMD 266 can handle the load with ease.)

Since my application seems tailor-made for the e-smith server, my question is this:  Has anyone at this forum actually had a problem wherein hackers from the outside world rooted, or otherwise compromised an e-smith server? That is, aside from something like a DOS attack?

I've searched this forum, and while it appears that some have had attempts made on their e-smith machines, I have found no evidence that anyone has actually been hacked.

Am I being naive in ignoring their advice? Computers are getting cheaper, but I would still prefer to use one moderately powerful e-smith machine than three, plus another box as a port forwarding router. That's why I purchased the e-smith media in the first place!

Any input would be greatly appreciated.

Colin Mattoon

[Elcamino]

its all in your config I think.  if pub ftp/telnet is diabled and you run the latest version of bind I would say you are rather safe.  You might try joining some linux/security mail lists to keep on the latest holes.  also be sure to follow a good password policy.


just my .02

[Colin Mattoon]

Elcamino:

Thanks...I've already pretty much decided that I will use a single e-smith machine.  If somebody was hacked, I would have expected to read about it in previous posts.

BTW: have you seen UN-succesful attempts to get in?

Colin

[Charlie Brady]

Colin Mattoon wrote:

> Our ISP repeatedly advised against this, suggesting instead
> that we set up two e-smith machines (one for mail, one as www
> server) with a port forwarding router between them and the
> Internet, and a third machine (probably e-smith) as our
> private LAN's firewall.
>
> They cite security, not performance, as the reason.
...
> Since my application seems tailor-made for the e-smith server,
> my question is this:  Has anyone at this forum actually had a
> problem wherein hackers from the outside world rooted, or
> otherwise compromised....

Not that I know of. Actually the main reason that your security will be increased if you have a seperate firewall is that you
will be less susceptible to internal security attacks. Most
computer security problems come from the internal side. You will
be that little bit more secure if your users have no access at
all to your firewall system.

There is no single correct answer to this - it's up to your judgement whether you should follow their advice or not.

Charlie

[Colin Mattoon]

Thanks Charlie...As a non expert, I was puzzled by the ISP's recommendation. Except for the system all being on one box, with one root password, I couldn't see why the e-smith should be more vulnerable than four individual boxes based on RedHat.

As I was reading Charlie's post, it finally occured to me: The ISP provides (and charges for) a rack mounted firewalling system. Takes a while, but things do begin to sink in...

[Tommy Tong]

Seriously though, sometime in the fall, I can't remember exactly when, I had a bit of an episode with the Rogers @home people. My e-smith (at the time 3.0) box was chugging along fine, providing shared access to me and two other users in my apartment for months without a re-boot. Periodically, as all of us with @home have grown accustomed, their DNSs would go down but with a little bit of patience, everything would start working again. Not even a reboot is required.

This time though, things had been down for three days so I called Rogers and they said that they unbound the IP address for my cable modem because I was "running an insecure mail server program and someone is using this to spam". I had a stock e-smith set-up and all settings were default. I was not even using any of the e-mail functions because we all have continued using our Hotmail for all e-mail (don't trust the @Home e-mail servers). I ran the cable modem on my machine for a while directly connected to the cable modem (and felt very "naked" doing so) until the e-smith box could be totally re-done with all the new patches. The integrity of the server itself had never been compromised and I realise that there was a patch available right away that fixed the problem--my point in this post is just to say that though I was never "hacked", I did encounter a problem that resulted in some downtime for me and my users (no big deal in my case, it was just my sister and roommate).

This incident was a point for my friend that believes that hardware appliances (like the Sonic Firewall) are the way to go.

Me, I'm too poor to buy fancy stuff like that so I am quite satisfied with the performance and feature set of e-smith.

Keep up the good work!

[Colin Mattoon]

Thanks, Tommy -- I'll either get the patches or upgrade to version 4.X

[Shadow]

i have encounted the problem with spam, although i dont use this server i was spamed, and tracked it back to an unsecure page hoseted by this server

[Joseph Morrison]

Hello Shadow,

> i have encounted the problem with spam, although i dont use
> this server i was spamed, and tracked it back to an unsecure
> page hoseted by this server

Can you explain more about this? I don't quite understand what you mean. It's true that e-smith 2.0 and 3.0 shipped with an open SMTP relay, which - although it did not allow anyone to hack through the e-smith firewall - did allow third parties to route spam through an e-smith server.

We put out a patch for 3.0 several months ago to fix this problem. It is not a problem in 3.1 or later versions.

Best regards,
- Joe